project work in the identity space – co-creator of IdentityServer & IdentityModel OSS projects – co-Founder of Duende Software slides https://speakerdeck.com/duendesoftware email [email protected]
and authenticity protection – an attacker could, for example, modify the scope of access requested, or swap the context of a payment transaction by changing scope values
• There is no mechanism to ensure confidentiality of the request parameters – although HTTPS is required, request data passes through the user agent in the clear, and query string data can inadvertently leak into web server logs and to other sites via the referrer
• Authorization request URLs can become quite large, especially in scenarios requiring fine-grained authorization data/scopes
• Allowing the whole authorize request to be packaged into a URL opens the door to all kinds of click/phishing attacks
management (maybe in addition to the existing client secret)
– crypto and JWT creation in the client application
• lack of client library support
– increased size of URLs (the signed request object travels in the query string)
URLs shorter
– works around browser limitations
– performance improvement opportunities

GET /authorize?client_id=client&request_uri=https://client.example.com/jwt_req/<id>
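The following is an added example, not code from the talk, IdentityServer or Duende Software. It puts the three slides above side by side: a plain authorize request whose scope an attacker can rewrite in the user agent, the same request carried as a signed request object (JAR, RFC 9101) where that rewrite breaks the signature, and the request_uri form that keeps only a short reference in the URL. Assumptions: the request object is signed with HS256 over the client secret (the slide's "maybe in addition to existing client secret" case; an asymmetric client key is the more common choice), the AS's HTTPS fetch of the request_uri is replaced by a dictionary lookup, and all client data and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample registration data (not a real deployment).
AUTHORIZE_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "client"
CLIENT_SECRET = b"constructed-client-secret-for-this-example"
# Stand-in for what lives behind https://client.example.com/jwt_req/<id>;
# a real AS would fetch the request object over HTTPS.
REQUEST_OBJECT_STORE: dict[str, str] = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: wrap the authorize parameters in an HS256 JWS (assumed key type)."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_request_object(jws: str, secret: bytes, client_id: str) -> dict:
    """AS side: exact alg, constant-time MAC check, client_id binding, expiry."""
    try:
        h, p, s = jws.split(".")
    except ValueError:
        raise ValueError("malformed request object") from None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("client_id") != client_id:  # query-string client_id must match the JWT
        raise ValueError("client_id mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("request object expired")
    return claims


def authorize_params() -> dict:
    return {"client_id": CLIENT_ID, "response_type": "code", "state": "abc",
            "redirect_uri": "https://client.example.com/cb", "scope": "openid payment:10"}


def make_request_object(params: dict) -> str:
    claims = dict(params, iss=CLIENT_ID, aud=AUTHORIZE_ENDPOINT, exp=int(time.time()) + 300)
    return sign_request_object(claims, CLIENT_SECRET)


def plain_url(params: dict) -> str:
    """Classic request: every parameter is loose in the query string."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def jar_url(params: dict) -> str:
    """request=<jws>: parameters ride inside the JWT; client_id is repeated outside."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request": make_request_object(params)})


def request_uri_url(params: dict) -> str:
    """request_uri=<url>: only a reference crosses the user agent, so the URL stays short."""
    ref = f"https://client.example.com/jwt_req/{secrets.token_urlsafe(12)}"
    REQUEST_OBJECT_STORE[ref] = make_request_object(params)
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request_uri": ref})


def resolve_request(url: str) -> dict:
    """What the AS ends up acting on for each request style; raises on a bad request object."""
    qs = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "request_uri" in qs:
        jws = REQUEST_OBJECT_STORE[qs["request_uri"]]  # stand-in for the HTTPS fetch
    elif "request" in qs:
        jws = qs["request"]
    else:
        return qs  # plain request: nothing binds these values to the client
    return verify_request_object(jws, CLIENT_SECRET, qs["client_id"])


def tamper_scope(url: str, new_scope: str) -> str:
    """The attack from the slide above: rewrite scope while the URL sits in the user agent."""
    base, query = url.split("?", 1)
    qs = {k: v[0] for k, v in parse_qs(query).items()}
    if "request" in qs:  # JAR: edit the JWT payload without being able to re-sign it
        h, p, s = qs["request"].split(".")
        claims = dict(json.loads(b64url_decode(p)), scope=new_scope)
        qs["request"] = ".".join((h, b64url(json.dumps(claims, separators=(",", ":")).encode()), s))
    else:
        qs["scope"] = new_scope
    return base + "?" + urlencode(qs)


def accepted_scope(url: str):
    """Scope the AS would grant for this URL, or None if it rejects the request."""
    try:
        return resolve_request(url)["scope"]
    except (ValueError, KeyError):
        return None
```

The plain URL accepts whatever scope arrives, so swapping "payment:10" for "payment:1000" goes through; the same edit inside the request object fails the MAC check and the AS refuses it. Comparing len(jar_url(...)) with len(request_uri_url(...)) shows the size cost of the JWT-in-query form and why the reference form is preferred for large requests.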